Critical Infrastructure Will Increasingly Come Under Attack and Service Providers Will Respond, but Governments Will Be Slow to React
Attackers have almost certainly been watching the impact Stuxnet had on industries that run industrial control systems, and they are learning from it. Expect them to apply the lessons of Stuxnet – the most significant example to date of malware designed expressly to alter the behavior of hardware in order to produce a physical, real-world effect – and launch further attacks on critical infrastructure over the course of 2011. These attacks will be slow to start, but expect their frequency to climb.

As evidence of this trend, Symantec recently conducted a study asking critical infrastructure providers about their opinion of cyberattacks against their industries. Forty-eight percent of respondents said they expect to come under attack in the next year and 80 percent believe the frequency of such attacks is increasing.

The overarching message of the study is that critical infrastructure providers are well aware of the threat and that critical infrastructure protection (CIP) is top of mind. Expect these providers to move forward with cybersecurity precautions that focus not only on repelling an attack but on the resiliency needed to survive one: backup and recovery, encryption, and storage and information management initiatives.

The Symantec study also found that the majority of critical infrastructure providers are supportive of, and more than willing to cooperate with, their governments on CIP initiatives. However, do not expect much movement from governments this year. It is unlikely, for example, that the U.S. government will pass CIP legislation in 2011, given the widespread changeover that recently took place in the U.S. Congress and the absence of any indication from the current administration that it will make CIP a priority. CIP legislation and government initiatives in other countries face similar challenges.

Zero-Day Vulnerabilities Will Become More Common as Highly Targeted Threats Increase in Frequency and Impact

In 2010, Hydraq, a.k.a. Aurora, provided a high-profile example of a growing class of highly targeted threats that infiltrate specific organizations, or a particular type of computer system, by exploiting previously unknown software vulnerabilities. Attackers have used such holes for many years, but as highly targeted threats gain momentum in 2011, expect more zero-day vulnerabilities to come to light in the next 12 months than in any previous year.

Symantec has already seen this trend begin to develop. In all of 2009, Symantec observed 12 zero-day vulnerabilities. As of early November 2010, it has tracked 18 previously unknown vulnerabilities this year that were, or still are, actively exploited in cyberattacks. Nearly half of these – possibly more – were used by targeted threats such as Stuxnet, which exploited a record four zero-day vulnerabilities; Hydraq; Sykipot; and Pirpi, which was identified just this month.

The key driver behind the growing use of zero-day vulnerabilities in targeted threats is the low-distribution nature of such malware. Whereas traditional widespread threats succeed by infecting as many computers as possible, targeted threats focus on a handful of organizations or individuals – perhaps just one – with the goal of stealing highly valuable data or otherwise gaining a foothold in the targeted system. The attacker's challenge in this scenario is to hit the target on the first try without getting caught. One or more zero-day vulnerabilities improve the odds considerably: a fully patched, signature-protected machine is largely defenseless against a flaw nobody yet knows about.

No traditional security technology excels at detecting this type of threat. Traditional protections require security vendors to capture and analyze a specific strain of malware before they can protect against it, and the stealthy, low-distribution nature of targeted threats makes it unlikely that vendors will ever see a sample of every one. However, technologies such as Symantec's SONAR, which detects threats by their behavior, and Reputation-Based Security, which relies on the context of a file rather than its content, turn those same characteristics against the attacker: a file that runs on only a handful of machines, appeared recently and behaves suspiciously stands out precisely because it is rare.
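The low-distribution signal described above, as an added example that is not Symantec's SONAR or reputation code and not from the original page. It assumes a simple endpoint telemetry feed (one record per host and executable hash, with a first-seen time and any behaviors the endpoint agent reported), a fleet of 500 endpoints, and an assumed behavior taxonomy with weights; the telemetry itself is constructed. No content signature is involved anywhere: a file is scored only on how many hosts it appears on, how recently it appeared, and what it does.

```python
"""Prevalence-based triage of executables seen across an endpoint fleet.

Added example (not Symantec code). Scores each file hash on rarity across
the fleet, age since first sighting and reported behaviour; no signatures.
"""
from collections import defaultdict
from datetime import datetime

# Constructed fleet parameters (assumptions, not real telemetry).
FLEET_SIZE = 500
NOW = datetime(2010, 11, 15)

# Assumed behaviour taxonomy an endpoint agent might report, with weights.
BEHAVIOR_WEIGHTS = {
    "injects_into_process": 3,
    "disables_security_service": 4,
    "beacons_to_new_domain": 2,
    "drops_driver": 3,
    "persists_via_run_key": 1,
}


def sighting(host, sha256, first_seen, behaviors=()):
    return {"host": host, "sha256": sha256, "first_seen": first_seen,
            "behaviors": set(behaviors)}


# Constructed sample telemetry covering the cases the scoring must separate.
TELEMETRY = (
    # Widely deployed admin tool: 420 of 500 hosts, old, quiet.
    [sighting(f"ws-{i:03d}", "sha-admintool", datetime(2009, 3, 2))
     for i in range(420)]
    # In-house line-of-business app: rare, but months old and quiet.
    + [sighting(f"ws-{i:03d}", "sha-lobapp", datetime(2010, 2, 10))
       for i in range(5)]
    # Targeted dropper: two hosts, first seen this week, injects and beacons.
    + [sighting("ws-007", "sha-dropper", datetime(2010, 11, 12),
                ["injects_into_process", "beacons_to_new_domain",
                 "persists_via_run_key"]),
       sighting("ws-031", "sha-dropper", datetime(2010, 11, 13),
                ["injects_into_process", "beacons_to_new_domain"])]
    # Mass-market adware: noisy but widespread enough to be a signature job.
    + [sighting(f"ws-{i:03d}", "sha-adware", datetime(2010, 9, 1),
                ["persists_via_run_key"]) for i in range(120)]
)


def rarity_points(hosts_seen, fleet_size):
    """Low distribution is the signal: the fewer hosts, the more points."""
    if hosts_seen <= 3:
        return 4
    share = hosts_seen / fleet_size
    if share < 0.02:
        return 3
    if share < 0.10:
        return 1
    return 0


def age_points(age_days):
    """A file seen for the first time this week has earned no reputation."""
    if age_days <= 7:
        return 2
    if age_days <= 30:
        return 1
    return 0


def behavior_points(behaviors):
    return sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in behaviors)


def verdict(rarity, age, behavior):
    # Rarity alone never convicts: in-house software is rare too. A block
    # needs behavioural evidence on top of low distribution.
    if rarity >= 3 and behavior >= 3:
        return "block"
    if rarity + age + behavior >= 3:
        return "monitor"
    return "allow"


def triage(telemetry, fleet_size=FLEET_SIZE, now=NOW):
    """Aggregate sightings per hash and return a scored verdict for each."""
    hosts, first_seen, behaviors = defaultdict(set), {}, defaultdict(set)
    for rec in telemetry:
        h = rec["sha256"]
        hosts[h].add(rec["host"])
        first_seen[h] = min(first_seen.get(h, rec["first_seen"]), rec["first_seen"])
        behaviors[h] |= rec["behaviors"]
    results = {}
    for h in hosts:
        age_days = (now - first_seen[h]).days
        r, a, b = (rarity_points(len(hosts[h]), fleet_size),
                   age_points(age_days), behavior_points(behaviors[h]))
        results[h] = {"hosts": len(hosts[h]), "age_days": age_days,
                      "rarity": r, "age": a, "behavior": b,
                      "score": r + a + b, "verdict": verdict(r, a, b)}
    return results


if __name__ == "__main__":
    for h, res in sorted(triage(TELEMETRY).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{h:14} hosts={res['hosts']:4} age={res['age_days']:4}d "
              f"score={res['score']:2} -> {res['verdict']}")
```

Run as a script it lists the four hashes by score: the dropper is blocked on two hosts' worth of sightings, the rare in-house application is only placed on a watchlist, and the adware, despite its persistence behavior, is left to conventional signature coverage because it is on a quarter of the fleet. The thresholds are illustrative; what matters is the shape of the rule, which never lets rarity convict on its own.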

The Exponential Adoption of Smart Mobile Devices that Blur the Line Between Business and Personal Use Will Drive New IT Security Models

The use of mobile devices such as smartphones and tablets to meet both business and personal connectivity needs is growing at an unprecedented pace. Analyst firm IDC estimates that by year's end new mobile device shipments will have increased by 55 percent, and Gartner projects that in the same timeframe 1.2 billion people will be using mobile phones capable of rich Web connectivity. With no sign of this proliferation slowing in the coming year, enterprises will gravitate toward new security models to keep the sensitive data on, and accessible through, these devices safe.

Increasingly the same mobile devices are being used for personal and business use. This creates complex security and management challenges for three key groups: IT organizations, consumers and communication service providers.

IT organizations: Consumers are driving mobile device innovation and bringing the devices into the enterprise, evidence of the ongoing consumerization of IT. This is especially true as organizations cut costs and require employees to use personal devices for business. Yet many enterprises lack an all-embracing solution, spanning the many mobile operating systems, that can keep enterprise data and application access safe while still allowing the use of personal devices.

Consumers: The IT-ization of the consumer means that people now have more technology in the home, in daily use, and no dedicated IT staff to manage it. More often than not they lack the tools to adequately protect their personal information from threats and from device theft or loss. In fact, the physical security of consumer mobile devices will be a real pain point this coming year, which will spur the need for, and adoption of, locate, lock and remote-wipe services.

Communication Service Providers: Carriers face continued declines in subscriber satisfaction, and the customer churn that follows, alongside rising costs from runaway growth in mobile bandwidth, network misuse, malware proliferation and spam. Carriers need a single solution to manage customer preferences and security across all types of services, including voice, email, SMS, MMS, Web, IM and P2P.

Traditionally, cyber criminals have paid only passing attention to mobile devices, electing instead to focus their efforts where the greatest return on investment could be had: the PC. Aside from the scarcity of feature-rich devices, a major barrier to creating successful mobile threats has always been the lack of a clear market leader; an attacker had to build a separate attack for each platform to achieve a high success rate. However, IDC estimates that by year's end Android and Apple iOS devices will hold 31 percent of global market share.

As devices grow more sophisticated and a handful of mobile platforms corner the market, it is inevitable that attackers will key in on mobile devices in 2011 and that mobile devices will become a leading source of confidential data loss. Research by mobile specialist Mocana indicates that for 65 percent of the enterprises surveyed, attacks against smart mobile devices already require, or will require by year's end, the regular attention of IT staff.

IDC also estimates that 1 billion workers will be mobile at least part of the time, or remote from their firm's main location, by the end of 2011. Enterprises will have to address the resulting challenges by adopting new models, such as security in the cloud, that work seamlessly across multiple platforms and devices. Expect business necessity to force IT managers to implement more granular and refined web security policies as well.

Regulatory Compliance Will Drive Adoption of Encryption Technologies More than Data Breach Mitigation

The explosion of mobile devices in the enterprise means not only that organizations face new challenges in keeping these devices, and the sensitive data on them, accessible and safe, but also that they must comply with a range of industry data protection and privacy regulations.

Enterprises are under ever-increasing pressure to meet a veritable alphabet soup of regulatory compliance standards. In the United States, the healthcare regulation HITECH and data protection legislation in several states have recently come into force. Internationally, PCI DSS was updated to version 2.0. Despite these regulations, many organizations still do not disclose the loss of mobile devices containing sensitive data the way they do for laptops; indeed, employees do not always report lost devices to their organizations at all. This year, expect regulators to start cracking down on this issue, which will drive organizations to implement encryption more widely, particularly on mobile devices.

The Ponemon Institute's 2010 Annual Study: U.S. Enterprise Encryption Trends found that, for the first time, regulatory compliance has surpassed data breach mitigation as the top reason organizations deploy encryption. Organizations are getting ahead of the curve, building their encryption strategy before a breach occurs rather than after.

In 2011, organizations will take a more proactive approach to data protection, adopting encryption to meet compliance standards and to avoid the heavy fines and brand damage a data breach can cause.

A New Frontier in Politically Motivated Attacks Will Emerge

In the Symantec CIP study, more than half of all firms said they suspected, or were fairly sure, that they had experienced an attack waged with a specific political goal in mind. In the past, such politically motivated attacks fell mainly in the realm of cyber espionage or denial-of-service attacks against Web services; as a recent example, distributed denial-of-service attacks were launched against blogs and forums critical of the Vietnamese Communist Party. With Pandora's box now opened by Stuxnet, however, expect these threats to move beyond spy games and annoyances as malware is weaponized to cause real-world damage.

Stuxnet, a highly complex threat, exists to reprogram industrial control systems – the computers and programmable logic controllers (PLCs) that run industrial environments such as power plants, oil refineries and gas pipelines. It is the first known malware to specifically target such systems. Stuxnet's ultimate objective is to manipulate the physical equipment attached to specific control systems so that it behaves as the attacker dictates, contrary to its intended purpose. Several underlying goals could motivate such an outcome, but sabotage – which could cause real physical harm – is the most likely.

Though Stuxnet's exact target remains unknown, circumstantial evidence suggests that Iran, or an organization or facility within Iran, was the most likely target of whichever well-funded group or nation state created the malware. Given this, it is not a stretch to assume the threat was politically motivated, potentially making Stuxnet the first politically charged cyberattack to attempt real-world destruction.

In reality, Symantec believes Stuxnet may simply be the first highly visible sign of attempts at what some would call cyber warfare, attempts that have been under way for some time. In 2011, more evidence of the ongoing digital arms race will come to light.